Microsoft Issues Zero-Day Attack Alert For Word
0xbl00d writes "Eweek.com is reporting a new Microsoft Word zero-day attack underway. Microsoft issued a security advisory to acknowledge the unpatched flaw, which affects Microsoft Word 2000, Microsoft Word 2002, Microsoft Office Word 2003, Microsoft Word Viewer 2003, Microsoft Word 2004 for Mac and Microsoft Word 2004 v. X for Mac. The Microsoft Works 2004, 2005 and 2006 suites are also affected because they include Microsoft Word. Simply opening a word document will launch the exploit. There are no pre-patch workarounds or anti-virus signatures available. Microsoft suggests that users 'not open or save Word files,' even from trusted sources."
That the business world just stop for a few minutes(days, weeks) while they fix this.
If I can't even open my friends' documents then what am I - as a manager to do?
Oh, wait - I don't do anything anyway and my life revolves around Excel.
Nevermind.
The Kai's Semi-Updated Website Thingy
not open .doc ? are they fucking insane? 90% of the business is just that messing with .doc
guess we know who to thank when productivity drops to zero in the coming days!
In other words, make sure you know what you're opening. But still - wtf. This is very serious.
On a lighter note, the unofficial workaround is to use vi. MS says Emacs too complicated and competes with Windows.
So let me get this straight... For the time being the only safe Word files are new files that other people don't need to open?
But hey, you saved a ton of money on retraining costs.
Maybe not
http://docs.google.com/
Could the problem be avoided by opening any .doc files with OO.org? I'm assuming that the exploit will only work if the file is actually opened with Word, so it would stand to reason that opening it with some other application would be safe. Can anyone tell me why I'm wrong?
my pet machine
Good general advice, really. They should put that on the Office packaging, like on a packet of cigarettes.
ant
I think we found a reason.
In the meantime, download and use OpenOffice
"Word" is a generic term in word processing. WordStar existed before Microsoft Word.
So, Microsoft are basically telling us to stop using Word? Sounds like great advice to me -- cheers, Bill!
Tubal-Cain smokes the white owl.
First, an exploit in IE causes MS to tell us to type in links manually rather than click them.
Now MS advises everyone not to use their flagship bloatware? There simply aren't enough R's, O's, F's and L's in the fabric of space-time to express how funny this is.
Or they're just scraping the bottom of the barrel for ideas on how to get people to upgrade to Vista and Office 2007.
I _TOLD_ ya the only version of word worth owning is 97. NOW do you believe me???
Seriously, please be a joke. This shit is going to be hell to try and explain to everyone at work, and then un-explain later, without totally fucking up all the investment in getting them to not infect their machines with all manner of crap. :(
What the heck does zero-day mean?
Making the Ribbon, and then congratulating themselves on how cool it looks, and then making advertisements with people with dinosaur heads.
2cv
Microsoft DOES NOT suggest that
as stated in the summary. What they do say is:
That is nothing more than standard precautions that one should take anyway. If you aren't expecting an attachment, don't open it. If you are expecting it, and it is from a trusted source, go ahead.
Nothing to see here, move along...
And as you tread the halls of sanity, You feel so glad to be, Unable to go beyond. I have a message, From another time..
dont open, read or write word documents, sit there at the computer screen, we own your soul!
The actual quote from the Microsoft page is:
If you send an email to Fred saying "Can you send me xxxx", and Fred replies, saying "Here it is", you can probably safely open the attachment. You should just exercise caution when Fred sends you an email out of the blue saying "Hey, read this would you?".
Repton.
They say that only an experienced wizard can do the tengu shuffle.
Microsoft suggests that users 'not open or save Word files,' even from trusted sources.
Uhhhh, right.
How about just opening those files in openoffice, mmmmmkay?
And typical me not reading TF security advisory before posting. The actual wording from Microsoft is:
Do not open or save Word files that you receive from un-trusted sources or that you receive unexpectedly from trusted sources.
> 'not open or save Word files,'
Do they call it "The Evolution of Microsoft Office"?
> To help you understand more about the merits of Microsoft Office 2003, we are preparing the new series of FREE training courses for you.
TRAINING COURSE - RULE#1: Don't open or save Word files!
> It's time for an evolution! Act now to take the Microsoft Office 2003 Training Courses and get rid of your current backward office!
TRAINING COURSE - RULE#2: Since you cannot open/save your documents... get rid of your current backward Office!
More Office tips and tricks: http://www.microsoft.com/hk/office/officetips/def
Well, I've got to get back to work. When I stop rowing, the slave ship just goes in circles.
You forgot to mention the Vista sound. They put tons of effort into that.
Help stamp out iliturcy.
That's right, College finals! Just what we need when all those papers are due. "Sorry Prof. I can't write that research paper for you, nor can you open it safely... Guess I should get an A."
The Link Vic! Don't Click The Link!!!!
But we wuz too late...the Reverend...saw the light!
And thus begins the torrent of Microsoft mocking posts. Get your mod-points out and set them to +5 Funny because the laughs are only just beginning. *sigh*
This is a new spin to upgrade to their new Office 2007 product line.
I'm seeing this as a HUGE opportunity to start the text document revolution. You can get really creative with characters and create some really romantic notes with text. Chicks would surely go nuts for a guy who could create character-based graphics with text!
I'm not a troll, but I play one on Slashdot.
Not opening Word files seems like a good idea. Microsoft IP's in them, and that's icky.
Help stamp out iliturcy.
Download it using the links below:
http://www.openoffice.org/
http://www.thinkfree.com/
This is my opinion. To make sure you don't steal it, it's covered by the DMCA.
I thought the definition of "zero-day" was an exploit issued on the same day as a patch or fix, e.g. a new patch is sent out but contains ANOTHER security hole. Someone who issues a new exploit based on said hole on the same day is said to have issued a zero-day exploit. This sounds like someone picking up on the word "zero-day" and making it sound more dramatic than it really is.
Why don't you just RTFA? It clearly says "Recommendation: Do not open or save Word files that you receive from un-trusted or that are received unexpected from trusted sources." But instead of reading, people are just too busy typing "OMG OFFICE SUCKS (etc)" or "OPENOFFICE is the BEST". Sidenote: Currently using 2007 Standard Trial, and liking it.
Yet ANOTHER feature Word has that OpenOffice doesn't. :(
I'm not too worried about this because most users are aware of attachment exploits like this.
I'm sure the major spam firewalls will also have signatures in a relatively short period of time. If my email spam/virus firewall will stop this I'm fine.
For the home user it is a bit more of an issue. At the same time most people use Yahoo, MSN, Google or some other account that has an active scanner that I'm sure will be able to block these in the short run... if not by analyzing the file, then by analyzing the subject line. Heck, chances are it'll look like spam so my firewall won't let it through to begin with.
I do wish MS would put out the technical details of this exploit. It sounds like some sort of a buffer overflow. Something tells me it is a graphic insert of some sort, but who knows.
By now you've seen dozens of postings about using OpenOffice as an alternative until Redmond patches this (One might even suspect this is a marketing ploy to encourage everyone to upgrade to Office 2007, but... naaahhh)
Folks - if there's malicious content - why take *any* chances? Upload the document to Google's Writely.com and be really insulated from malicious code!
Any sufficiently advanced technology is indistinguishable from a rigged demo. -- James Klass
Sounds like it means Trusted to Be Risky.
Well, I'll just get out my "Trusty" CanOpener application (don't laugh as it works) and use it to open my .doc files on my Mac.
Really freaking super BAD timing, man. Thanks one hell of a lot, MicroShaft.
And there is a POLICY here where you absolutely, positively, HAVE TO have MS Office and USE IT here at Woodbury University. I was using OO.o on Linux for the longest time and sending things out as PDF to profs, but one of my profs wanted to COMMENT ON MY DOCUMENTS so no using OpenOffice and getting by.
Unfortunately I don't think ANY of my profs are going to accept the "zero-day Word exploit, sorry, no paper for you" excuse.
Knowledge is power. Knowledge shared is power multiplied.
What is the chance that we will see a fix in a week? Next week is the company's scheduled December Patch Tuesday, but there is no word yet from Microsoft on the timing of its fix for Word.
Ho! But does it affect Word '97 which my company is currently stuck on? Wait a minute... Maybe my company gets the picture... I mean, if you fail to upgrade for long enough do people give up and quit exploring for exploits for it? Or does it just mean that the software is too antiquated to have the same vulnerabilities as today's software? Let this be a lesson to you "Early Adopters". Oh nevermind, I want my Word 2k3 (or soon to be 2k7) with or without its 0-day flaw.
Why not -1 day or -2 day or -99 day? The only way they could tell is if they are in cahoots with whoever released the exploit.
disconnect the triprong MS Virus Enabler: http://www.techexcess.net/images/products/600/6ft-power-cord.jpg
Help stamp out iliturcy.
!!!ROFLMAO!!!
so one gets the heads up until Zer0 Day
Make OO the standard and fork MS.
I'd Tell you all my secrets but I lie about my past
Download here.
How come MS's front page mentions nothing of the incident? Shouldn't their visitors/customers be alerted? ...
Mod points are a dangerous tool. Abuse them wisely.
Good thing I connect via WiFi.
Once you mature professionally, you'll be writing lots of papers and hardly use any of the tools you currently use today - or whatever the replacements are. Then you'll create the PDF files for others to read and reference.
I spend my working hours in outlook, word and excel plus a browser. Then I create PDF v1.6 files so none of the non-Adobe PDF readers can open them. Our lawyers are pansies.
5 years ago, I'd spend those hours in vim, Visual Studio, StarTeam, xxgdb and a few xterms typing 'make'.
Dear Professor,
My final project for the semester is attached as a Word document. If you have any problems reading it, please let me know. Me and everyone else in your address book.
Don't have to worry about grading it. By the time you read this, I will have used the root-kit to grade it myself.
Nice porn, by the way! You dog! We'll make this our little secret.
love,
toodles
Ah, license to ignore any unexpected memos for the next couple of days, excellent
Except that I have been saying that for years. MS Doc format is an untrustworthy format. It has been known to carry unexpected payloads in the past and there are alternatives which are known to be safer yielding similar if not identical results for most people. (And if someone thinks they actually NEED to have VBA in a word document, I'd have to suggest there's probably a better way to program your way out of the situation you find yourself in. I just haven't been able to think of a good reason to have programming code in a Word document and I haven't seen a good example either. Can anyone offer a reason good enough?)
ODT works well... hell, for that matter RTF works well enough for most people.
At least there was a warning rather than 43 unannounced patches next Tuesday, I'll say that much for them. It's a shame that there is no patch yet though. Without saying how detrimental this will be for MS, I'm thinking that now I can't tell people that OOo is just like MS Office but free... now I have to tell them that it's probably safer too. Ugggh, the people that want OOo and F/OSS software to be as good as MS Office and OS products really bug me, and this story is exactly why.
Ya, sure, MS is the biggest target, so gets more hacker attention. Just the same, being king of the hill is not easy, and F/OSS software makers should do their best to simply keep doing things well, rather than doing them 'just like MS does' as it's not working out so good for Redmond today.
Do everything that 80+% of users want, do it very well, and let the Excel gurus and desktop publishing companies do the things for those other 12% or so. That's the biggest bang for buck right there. That 12% might be the biggest spenders, but they also don't care about the cost, or don't want to retrain or convert etc. ad nauseam.
Support NYCountryLawyer RIAA vs People
I take it then, that this vulnerability has been fixed in Word 2007?
Coincidence? I think not!
"It is possible to commit no errors and still lose. That is not a weakness. That is life." -Peak Performance
mod me troll
Hold on here! Doesn't the moderator know the rules here? If you say "mod me troll", it means that you aren't allowed to moderate the post as "troll." The cute kicking your toe in the dirt and admitting you aren't good enough is supposed to endear the poster to the harshest of moderators.
Mod me off topic.
Good question. What idiot moderated that redundant?
200 words surrounded by hundreds of banners, spamlinks, skyscrapers, sidebars, flash ads, uggh it's no wonder even consumers are blocking adverts when sites like that exist
How is one supposed to exercise caution when opening a Word document? Do you click on it slowly and deliberately, or do you click it carefully after giving the PC a pat on the head...
Excuse me, but please get off my Pennisetum Clandestinum, eh!
sticking with Word 97. It's apparently not affected by this.
>Microsoft suggests that users 'not open or save Word
>files,' even from trusted sources."
Most of us figured that out a long time ago. The REAL question is whether you will be able to tell the difference between a file corrupted by this exploit and file corruption that just happens because of all the OTHER profound bugs.
Brett
How am I supposed to type my report tonight?
/. for the rest of the night!
Oh yea, disconnect the internet. Goodbye
Don't use Microsoft Office EVER.
Office for MacOS X has 2 versions: v.X (10.x) and 2004 (11.x)
There is no 'Microsoft Word 2004 v. X for Mac'
Microsoft created this deliberately, to promote sales of Word 2007.
you mean feature parity ("we can do 5 billion kinds of tables!") as opposed to being as easy to use or having good performance.
Firefox Power http://firefoxpower.blogspot.com/
ya, it is much better to trust your most secret internal documents to random third party "businessmen" over in whoknowswhereistan after you got *owned*.
Microsoft-successfully extorting money from governments and businesses for a quarter century-and damn proud of it! Never has one company screwed up so much and profited from it in the history of the world. This is 2006 and people still pay good money for that utterly craptastic zero-warranty rubbish. No wonder the western economy is cruising on credit and trying to outsource reality, the combination of booze and coke at top managerial decision making circles has finally about run the course-straight into the ground. They are running on fumes, inertia and bravado, because it sure isn't based on intelligence.
For the link to the "Sacred Ribbon." I'd heard a lot about it but never had seen a pic that was big enough to decipher. Looks about like every other freakin toolbar I ever saw, only 2-3 times as bloated. Imagine that. Oh well, to each their own...
If you want your life to be different, live it differently.
Did anyone else read that as "Microsoft Ossues Zero-Day Attack Alert For World"?
I'm running office 97 on whine.
I'm sorry, I'm too tired to be witty at the moment so this message will have to do.
...that so many people have a bad habit of composing even a simple text message in Word, then emailing it out as an attachment. We have a number of people who do this at work, despite being repeatedly reminded that they can simply write their message within their email program. It's aggravating to receive an email that simply reads "see attached", then to actually read the 3-sentence message one has to save the .doc file to their computer, fire up Word, and open the file, potentially exposing themselves to whatever the newest exploit is.
That's why the Windows XP Security Guide is distributed as a .doc...
"It ain't a war against drugs.it's a war against personal freedom" --Bill Hicks
I didn't get the memo either.
qz
Wait a minute I use Open Office, Never mind.
Just in time for finals!
I'm probably going to damage my "excellent karma" (at least as shown on my personal page when I log in), but....
JESUS H. CHRIST jumping a barbed wire fence, Slash editors. Who's letting these submissions across the wire? While slash is not a world-class journal or trade rag, it ought tot
As MUCH as I tend to slight microsoft, the fake FUD from submitters is likely to cause more irreparable damage than the few of us who are terse and critical toward microsoft.
Please, take more time, or force your editors to work in teams as "two-person integrity" or SOMEthing. This is getting ridiculous.
C'mon, did microsoft REALLY say, "'not open or save Word files,' even from trusted sources."?
Likely NOT. Y'see, SOME of us can recognize the cute little enclosure of single and double quotes. I didn't at first catch it until I read another comment in this thread. When I went back, I got pissed, feeling the submitter is trying to be wily and cute. But, for every IT or biz exec who considers Linux based on things in Slashdot (probably more and more a mistake these days), another will point to lame submissions such as the one being shredded now...
But, you know what? I am starting to think some mshaft people (who volunteered for projects, ascended the local ranks, gained trust and leadership positions) INFILTRATED Slashdot and are intentionally posting FUD like this to rile up the readership, get them passing bogus information, and setting them up for discrediting in the workplace. This sounds like rumored infiltrations going on with various Linux development groups, where some Human Trojan screws with projects and releases broken code in apps and distros to stymie and screw with companies trying to earnestly deploy Linux-based solutions or interoperability.
If that is the case, then Slashdot needs better vetting.
Previously: "Linux... Toward the Sunrise..." Now: "Linux... Toward the-- No, now, part of Every Sunrise"
This is a response of a complaint that I sent to orange.fr about an infected computer.
Hello,
We have received your email regarding the transmission of viruses by one of our subscribers.
We thank you for bringing these facts to our attention and inform you that the necessary action has been taken with respect to the offending user: their access was terminated today.
Regards,
Service Abuse Orange Internet
If only US ISPs did this.
For the non-french-speaking, like me, the Babelfish translation isn't too bad.
--
BMO
>What on Earth are Alice and Bob up to that everyone wants to read what they are writing to each other?
http://www.xkcd.com/c177.html
I'm sure the major spam firewalls will also have signatures in a relatively short period of time. If my email spam/virus firewall will stop this I'm fine.
And what do you do about the exploits already mailed to you, before the firewall suppliers figure out signatures and put them in place?
And if they don't successfully design signatures to catch ALL exploits of the flaw, what do you do about later stuff that exploits the flaw differently, and arrives in the window before signatures for THAT exploit are developed?
And so on.
Reactive anti-malware firewalls and filters will always have vulnerability windows between exploit and update and will usually have multiple windows per vulnerability - because updates are triggered by exploits and signatures tend to be tuned to exploits rather than flaws.
Flaw-fixing has a window of vulnerability too, but only one (if it's done correctly).
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
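The exposure-window argument in the comment above, worked through as an added example (not code from the thread or from any vendor): a constructed timeline of three variants of one flaw, each with the day it first arrives and the day a filter signature ships, plus a single patch day, and the exposed intervals under each defence. Variant names, days and the `Variant` class are all assumptions made up for the illustration.

```python
# Added example (not from the thread): exposure-window model for reactive
# signatures versus fixing the flaw. Days are integers; a half-open interval
# [start, end) means the machine is exposed from day `start` until day `end`.
from dataclasses import dataclass
from typing import List, Tuple

Interval = Tuple[int, int]


@dataclass(frozen=True)
class Variant:
    """One exploit variant of the same underlying flaw (constructed data)."""
    name: str
    first_seen: int   # day the variant first lands in inboxes
    signature: int    # day the filter vendor ships a signature for it


def merge(intervals: List[Interval]) -> List[Interval]:
    """Union of half-open intervals: empty ones are dropped, overlaps coalesce."""
    merged: List[Interval] = []
    for start, end in sorted(i for i in intervals if i[0] < i[1]):
        if merged and start <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged


def signature_only(variants: List[Variant]) -> List[Interval]:
    """Only a reactive, exploit-tuned filter: every new variant reopens
    exposure until its own signature ships, so one flaw yields many windows."""
    return merge([(v.first_seen, v.signature) for v in variants])


def patch_only(variants: List[Variant], patch_day: int) -> List[Interval]:
    """Only a fix for the flaw itself: a single window from the first
    variant until patch_day, after which new variants no longer matter."""
    return merge([(min(v.first_seen for v in variants), patch_day)])


def signatures_and_patch(variants: List[Variant], patch_day: int) -> List[Interval]:
    """Both defences: each variant's window closes at whichever comes first."""
    return merge([(v.first_seen, min(v.signature, patch_day)) for v in variants])


def exposed_days(windows: List[Interval]) -> int:
    """Total exposed days across a list of non-overlapping windows."""
    return sum(end - start for start, end in windows)


# Constructed timeline: three variants of one flaw, patch shipped on day 7.
VARIANTS = [Variant("A", 0, 2), Variant("B", 3, 5), Variant("C", 6, 9)]
PATCH_DAY = 7


if __name__ == "__main__":
    for label, windows in (
        ("signatures only", signature_only(VARIANTS)),
        ("patch only", patch_only(VARIANTS, PATCH_DAY)),
        ("signatures + patch", signatures_and_patch(VARIANTS, PATCH_DAY)),
    ):
        print(f"{label:20} windows={windows} exposed_days={exposed_days(windows)}")
```

With these numbers the signature-only defence leaves three separate windows totalling seven days, the patch alone leaves one window of seven days, and the two together leave five days; the point is the count of windows, which grows with each variant under signatures and stays at one under a fix.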
Is this a buffer overflow? Is it insert of code? Or, is it just access? Ummm... since this is just the details of HOW... well, if it's used then the code behind the exploit could make more than the infected machine vulnerable, and so, ALL WORD docs could be compromised shortly... it IS possible, until the patch comes out. But, then it won't be available to those pirates so it will spread anyway as the computers they've upgraded become infected... *grin*... tx microsoft. :P
I call computer-illiteracy job security
...not sure why files expected from trusted sources can't be infected too.
Max.
The quote in the summary was from TFA and was correct.
Your guidance is wrong. "Probably" means more likely than not. According to Microsoft's own statistics Fred's XP workstation is "probably" a rooted, keylogging spambot zombie. His files safe? Get real.
On the other hand, your machine is "probably" exploited already too, so why not just give up? Everyone else has. It's not like anybody wants to read your boring data anyway, right? Besides, what are we to do? If we can't use Office, we might as well give up and go home. We can just keep clicking away those popups until the machine slows down so much it won't function at all and then Ted from IT will fix it. You didn't really like google anyway -- that targeted search assistant is so much better at finding just the right thing. It's like it knows you.
Never mind.
Help stamp out iliturcy.
I'm so glad that I just switched to open office.
"Do not start Windows, even when using trusted computing"
I like Notepad better anyway.
Microsoft has just taken a while to get it. See reason four.
If Microsoft is doing this to boost their next Office, they are going to be surprised by the number of people who migrate to Open Office. Really, these kinds of screw ups are nails in their coffin.
DMCA, Hollings, Palladium. What might have sounded like paranoia is now common sense.
It is what I am using.
FTFA:
Many security experts said they believe corporate espionage is the main motive behind the attacks. Wow! If that doesn't make Corporate America take another look at an MS alternative office suite I don't know what should!?!?!?
Does anyone else find it cute that Word 2007 isn't listed as being vulnerable ? That would certainly explain why they're in no hurry to release a fix. The "fix" is to upgrade :P How convenient that Office 2007 was just released last week. You know it only takes one loaded document to scare someone's PHB into buying the "fix" impulsively. Some will surely upgrade preemptively just out of fear.
I'm not an anti-MS fanboy at all, but I do scratch my head when I see these things. Exploits every week, sloppy code all over.. why is it that a huge company like Microsoft, with its enormous installed user base, thus guaranteed income, has such tremendous issues with deadlines and quality control ? Why was Windows 95 almost Windows 96 ? Why is Vista still not out ? Are there not enough skilled developers in the world for them to hire ? Do they need better tools to assist the massive workflow ? What about the resources spent chasing down exploits and producing fixes, and the collective waste of bandwidth, labor and mindshare of "patch tuesday" all over the world... They have a company that could so easily take the lead and commit ample resources to new developments and experimental computing paradigms, instead they spend all their time playing catch-up. The longer they fidget, the bigger the opportunity for a young, dynamic contender to shape up, be it Linux, Mac, or even a newcomer. Eventually, they will meet an opponent that won't sell out; one that has the balls to stand up to them and bite off some of MS' market share, rather than trading their own defeat for some shiny MS stock. By then it will be too late to turn the sinking ship around.
-Billco, Fnarg.com
They are called women. Oops.
Show of hands:
How many here remember: Concept?
LedgerSMB: Open source Accounting/ERP
Word was hung and using all the CPU. All Microsoft software I've ever dealt with has been crap.
Luckily it seemed to just be a corrupt document, and the version is Office Mac: Vx from 2001, so it looks like I might be safe. And my wife isn't an administrator on her own computer so that makes me feel a little better.
Still, I really should get those backups running...
Awesome furniture, accessories and cabinetry in Santa Rosa, CA: http://humanity-home.com/
Wow... that's pretty interesting. I just read MS's technet bulletin, and it says nothing of the sort.
Yep, pretty amazing, how a Slashdot posting could be so wrong about something concerning Microsoft.
Haiku is coming along, slowly but surely. Well, I say slowly, but I really don't know anything about time-tables for developing a modern OS. It's recently passed its 5th birthday and is almost feature complete, which is to say, replicates all of the functionality of BeOS R5. Almost all pieces of it are still considered "alpha" quality, though. Some of it is actually an improvement. The networking in BeOS was entirely in user-space, which helped for system stability, but sucked for a good number of network tasks. Haiku has moved networking into kernel space, but stays binary compatible with R5 (unlike Be Inc.'s never officially released kernel-space networking stack BONE). The file system replacement is in fact FASTER than the original BFS and is written in C++ (BFS was written in C with some assembler, iirc).
One of the neater aspects of the project is that, b/c of the extremely modular nature of BeOS's design (the so called "kits" into which the system was divided) testing any part of Haiku is as simple as downloading one piece of it and replacing the old BeOS kit with the new Haiku kit.
If anybody out there is really interested, one can still download the free-as-in-beer BeOS R5 from bebits.com. It's, of course, starting to show its age, so you might have to download one of the hacked versions (the so-called Max or Developer editions) of it to get it to install and boot on some newer machines. A little searching around on bebits and google should provide all the needed info.
I'm really looking forward to the day (hopefully soon) when someone can download and burn a fully-installable disk image from the Haiku site. I can't imagine that a really nice, user-friendly, FOSS, GUI OS would be anything other than a great boon to the FOSS community. Until then, I still have my old R5 machine to play around with on occasion (I actually do some serious work on it still).
I noticed that wordpad is also not on the affected software list... It might be a way to view Word documents without Word (or downloading additional word processors). Anyone know if it is also affected?
What GP was mad about is not that user processes can have bugs, but that user processes could be in a position to threaten the stability of the operating system. He's wrong about the nature of the threat we're talking about here, but that's a separate point.
Thanks a lot, Microsoft.
-Steve Jobs
Older versions of Notepad were vulnerable.
I've lost count of the times I've gotten security updates to notepad.
Ribbon for the win, keyboard accessible menus are so last century.
> Do not open or save Word files that you receive from un-trusted
> sources or that you receive unexpectedly from trusted sources.
You are picking nits.
Yeah, I know, Slashdot quoted Eweek who misquoted Microsoft. I just don't care.
Do you think we are somehow immune from infection by a "trusted" source? No? Then stop complaining. We don't need more lawyers in the world. More signal, less noise.
BTW, how many times did the sacred Microsoft security page use the term "root-kit"? Exactly zero. I'm glad someone is reading between the lines.
Grumble, grumble.
I sense a great disturbance on the net - it's as if 280 million adware infected PCs were suddenly shut off!
http://www.theregister.co.uk/2005/02/02/adware_market_estimate/
Bavarian Purity Law of Rice Krispie Squares: Rice Krispies, Marshmallows, Butter, Vanilla.
moi
Let me get this straight: the current version is security-flawed to the point of an exploit being able to destroy your system, or worse, hijack it. The NEW version is NOT available for the Mac and won't be until March (and we ALL know how reliable Microsoft release dates are, don't we?).
And the recommendation is not to open any unexpected Word Documents until a work-around, patch or other fix comes in.
And it's the holidays... and the NEW version of WORD JUST came out.......!
As Yoda would say: "Pass the smell test, this does NOT!"
I do not trust a lot of my colleagues at work, and the rest of them do unexpected things all of the time. What should I do?
Look, if you want OpenOffice to have the capability to take down a machine merely by opening a compromised document, you can damn well code a patch.
Sheesh.
Soylent Green is peoplicious!
There's simply no way to check that Word isn't scanning your documents and sending info (perhaps about projects or business relationships competitive with Microsoft) to Redmond next time it does a windows update.
Probably comes in handy in DOJ investigations too - hope they didn't collect their info in
You say Microsoft wouldn't do that? Well, I'd say Google wouldn't do that either; so I'd say overall you're about equally safe either way.
And yes, open source really is different - grep the source for "open" or "socket" system calls and you can see if it does anything tricky.
you will be vindicated. I have stuck with Office 97, because I have never thought that any of the "improvements" that M$ has made in newer versions of Office were worth the price of a new program. It is now too old to be affected by the latest virus. Lord, this is sweet.
In the land of the blind, the one-eyed man is king.
"Simply opening a word document will launch the exploit."
Wow, that's a scary exploit. I don't even need to receive a copy of the exploit, simply opening a word document will launch it.
There are no pre-patch workarounds available. Microsoft suggests that users "not open or save Word files," even from trusted sources. "As a best practice, users should always exercise extreme caution when opening unsolicited attachments from both known and unknown sources," the company said.
The MSRC (Microsoft Security Response Center) has activated its incident response process, which includes coordination with anti-virus and security vendors and the creation of a software update.
According to the advisory, Microsoft may consider an out-of-cycle patch if necessary.
At press time on Dec. 5, there were no detection signatures available from anti-virus vendors.
This is the second major Microsoft Word zero-day attack this year. In May 2006, a sophisticated attack originating from China and Taiwan was detected using a Trojan dropper and a backdoor with rootkit features to mask itself from anti-virus scanners.
There have been several zero-day flaws--and targeted attacks--found in Microsoft Office applications, including Excel, PowerPoint and Publisher. Many security experts said they believe corporate espionage is the main motive behind the attacks.
Personally i think they are abusing the law of attraction http://en.wikipedia.org/wiki/Law_of_Attraction_(N
Sometimes I feel like I'm the only one who pays attention. Fuck, MS just started checking MS Office installations for 'validity' and shutting them down in the Windows Update procedure, and suddenly now, 3 weeks before Vista launch, MS is coming out and saying there's a MAJOR Word flaw.... Geez... can we all stretch our brains to figure out what this is about?!
Have you tried Latex? It does essentially the same thing - it separates out the formatting from the content, and lets you get on with writing the content quickly and easily. I recently switched to it from Word, and found that although it didn't have the nice graphical interface, once I'd got a style set up it actually sped my work up. If you're on a Mac, try MacTex from http://tug.org/mactex/ .
Social Security - it's better than Social Darwinism.
Sure, but "Honor thy father and thy mother" and "love thy neighbor as thyself" trump them both.
I've noticed now how nitpicky Windows XP has become about the authenticity of itself installed on a computer. For a while now, users of XP who want to update have to go through an annoying 'genuine validation' process. At certain points, Windows will simply not have access to software updates until MS is convinced that they'll go on a legal copy of their software.
So now, every few months they can come up with a new authentication scheme, and a week after they are introduced (and before they are cracked), Microsoft unleashes some sinister exploit that promises to do terrible things. When the user with a questionably authentic copy of Windows/Office/etc. goes to download the security patch for this exploit, he or she isn't allowed to do so due to the inability to validate the copy of the software as 'genuine'.
So the average Windows user who has a pirated copy is given the choice to either pay for the software or face some giant threat to their computers.
The Internet is generally stupid
Eh.. if you really wanted to I'm sure there would be a way of checking exactly what you send back to the Windows Update servers. These days it's dangerous just browsing the net or opening an email on a PC using Microsoft products, it's not just obvious stuff like using Windows Update that is the security risk.
which is totally what she said
Forgive my ignorance, but if a lot of the buffer overflows occur because of strcpy() when alternatives like strncpy() exist, why isn't that call deleted from the library? Sure, lots of users' programs would stop compiling *, but after some gnashing of teeth at the developers, and some hurried sed/awking, we'd be rid of this pestilent plague.
./configure --with-strcpy-is-insecure-and-i-know-it-and-am-too-lazy-to-fix-it option could be left for those that **couldn't** be changed.
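An added example for the strcpy()/strncpy() question in the post above. It is not code from any post in this thread; it assumes only the C standard library and a GCC/Clang-compatible compiler for the pragma. It shows the two things the post is getting at: banning the unbounded call at compile time per project (the "delete it from the library" idea without touching libc), and why strncpy() is not by itself the fix, since it can leave the destination unterminated and never tells the caller that data was cut off.

```c
/* Added example for the strcpy()/strncpy() question above. Not from any post
 * in this thread; assumes only the C standard library and a GCC/Clang-
 * compatible compiler for the #pragma. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Ban the unbounded call in this translation unit: any later use of strcpy is
 * a compile error. This is the "delete it from the library" idea applied per
 * project (GCC/Clang extension; other compilers ignore the pragma). */
#pragma GCC poison strcpy

/* Bounded copy that always NUL-terminates dst and reports truncation.
 * Returns 0 if src fit, -1 if it was cut to dstsz-1 characters (or dstsz is 0).
 * Unlike strncpy(), the caller learns that data was lost and never gets an
 * unterminated buffer. */
int bounded_copy(char *dst, size_t dstsz, const char *src)
{
    size_t n;
    if (dstsz == 0)
        return -1;
    n = strlen(src);
    if (n >= dstsz) {
        memcpy(dst, src, dstsz - 1);
        dst[dstsz - 1] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);   /* includes the terminator */
    return 0;
}

/* The strncpy() pitfall: when src is at least bufsz characters long, the
 * destination receives no terminator at all. Returns 1 if the buffer ended
 * up unterminated, 0 otherwise. bufsz is capped at the local buffer size. */
int strncpy_leaves_unterminated(const char *src, size_t bufsz)
{
    char buf[16];
    if (bufsz > sizeof buf)
        bufsz = sizeof buf;
    memset(buf, 'X', sizeof buf);  /* stale bytes, as in a reused buffer */
    strncpy(buf, src, bufsz);
    return memchr(buf, '\0', bufsz) == NULL;
}

int main(void)
{
    char name[8];
    int rc = bounded_copy(name, sizeof name, "a rather long input");
    printf("bounded_copy: rc=%d dst=\"%s\"\n", rc, name);
    printf("strncpy unterminated: %d\n",
           strncpy_leaves_unterminated("0123456789abcdef", 16));
    return 0;
}
```

The design choice worth noting is the return value: a bounded copy that silently truncates is only half a fix, because a truncated filename, path or command is itself a well-known source of bugs. Returning -1 lets the caller treat an over-long input as an error instead of quietly carrying on with a different string than it was given.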
Get your own free personal location tracker
How does this affect the Mac?
What kind of a design makes using a word processor dangerous. That by merely opening a text document you can totally compromise the system.
davecb5620@gmail.com
"Pregnant women should not open Word documents. Opening of a Word document can seriously affect the health of your unborn child"
My office makes fun of me for excessive unification of arboreal products, then they ask to borrow my copy of the bid because they lost theirs, and can't find where they scanned it.
Here is a message we sent to customers. Links were added for posting on Slashdot:
Everyone,
Don't use Microsoft Word. Use Open Office instead. This advice remains effective until Microsoft releases a patch, and it is installed.
Microsoft just issued a security advisory warning people not to open Microsoft Word documents unless they have the latest version of Microsoft Word, which was just released, and costs $329 for the upgrade, or $679 for the most powerful full version.
On the security advisory web page the relevant parts are buried in sections that aren't visible unless you click on them:
"Do not open or save Word files that you receive from un-trusted sources or that you receive unexpectedly from trusted sources. This vulnerability could be exploited when a user opens a specially crafted Word file."
"We recommend that customers exercise extreme caution when they accept file transfers [files] from both known and unknown sources."
The vulnerability is being actively used to infect users' computers. That's the meaning of the phrase "zero-day" attack in the first sentence of the advisory. None of the anti-virus software vendors have made signatures for this attack yet, which means that anti-virus software CANNOT protect against an attack.
The reason Microsoft says to "exercise extreme caution" with files received "from both known and unknown sources", is that no one, not even computer consultants, can know whether a source can be trusted, since the anti-virus vendors have not yet made a method of detection for this vulnerability.
Michael
Wordpad wasn't listed as affected.
"C'mon, did microsoft REALLY say, "'not open or save Word files,' even from trusted sources", davidsyes
"Recommendation: Do not open or save Word files that you receive from un-trusted or that are received unexpected from trusted sources. This vulnerability could be exploited when a user opens a file", microsoft.com
What's the difference in meaning if any between:
..
"Microsoft suggests that users 'not open or save Word files,' even from trusted sources.", kdawson
and
"Do not open or save Word files that you receive from un-trusted or that are received unexpected from trusted sources", MS
"Could the problem be avoided by opening the any .doc files with OO.org?"
The problem for a lot of msWord users is that the docs don't display or print correctly in OO especially if using lots of embedded frames etc. A simpler solution that would avoid even zero day exploits is to set the Word Viewer to default for Word docs and write a script that deletes normal.doc at boot. Use Firefox or Opera for browsing use thunderbird for email.
Seriously. Cut the crap with this silliness. I can't open ANY Word doc? Please. That's just dumb.
Terrible karma and aiming lower, which in this environment of one-sided reason, is higher.
They said this one affects Office/Word 2004 on Mac as well. I wonder what the exploit does on a Mac?
I drank what? -- Socrates
I initially thought about using OpenOffice; I think it's probably the best solution overall, since it's free and you can get it right now. But let's say you absolutely need to work in Word -- how can you make sure that a document is safe?
If you opened a document in OO, and then saved it, would the resulting document be guaranteed to be clean? What if you saved it as an RTF and then opened that back up in Word? That would probably lose a lot of people's fancy formatting, but it would preserve most of the content and markup. I suppose the most paranoid thing to do would be to save all documents out to ASCII and then open them up in Word, but at that point you've negated any reason to use Word in the first place.
If OO tries to open a file, and it has a maliciously-crafted (which to OO, I assume, would appear corrupt) binary object in it, will OO refuse to open the file / remove the corrupt object? Or will it just ignore it and continue on its way?
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
Maybe the method Word uses to render itself - when used on a certain font with the right combination of letters - infects your brain somehow. I guess it's working on the same principle as flash ads.
which is totally what she said
... anything resembling "Microsoft suggests that users 'not open or save Word files,' even from trusted sources."
It says to be extremely cautious.
FUD, from Slashdot? No way...
If you aren't expecting an attachment, don't open it.
My god, have ANY of you people ever actually worked in an office before? Having to manually confirm every e-mail attachment I receive in a day would take, well, the entire day.
I can't believe this comment keeps getting modded "Insightful".
Endless arguments over trivial contradictions in books written by ignorant savages to explain thunder in the dark.
So... a "zero-day" attack used to be one that appeared on the same day as the piece of software that was being attacked. Obviously, somehow the meaning of "zero-day" has changed. What does it mean now? (As far as I can tell, it's just meaningless padding, which means that a perfectly useful concept [that of an attack that appears on the same day as the software] now has to be explained periphrastically instead of using "zero-day". I hope I'm wrong, and that "zero-day" still does have a meaning, albeit one that's changed.) Anyone care to enlighten me?
Gee, "Microsoft Recommends" is the part of this story that is skewed in a deceptive manner.
y /929433.mspx under the heading of "Workarounds for Microsoft Word Remote Code Vulnerability:" Suddenly it means something completely different. It actually describes the way you should ALWAYS treat any attachment.
The story above lists the exact quote, "not open or save Word files" as part of the sentence, "Microsoft suggests that users 'not open or save Word files,' even from trusted sources."
The actual quote from Microsoft's site is, "Do not open or save Word files that you receive from un-trusted sources or that you receive unexpectedly from trusted sources.", which can be checked at http://www.microsoft.com/technet/security/advisor
Sure, we all know that MS makes stuff with lots of holes in it (like most everyone else) but that is no excuse for flagrantly deceptive reporting. I get enough of that on TV every night...
One more reason for me to stick with Word 5.1a, for writing term papers (like that's ever going to happen again). 'Course, this (and SMAC/X) will keep me from moving to Intel based Mac.
I drank what? -- Socrates
I work at a small software company and my boss doesn't seem to understand why I use OpenOffice for all my stuff. Maybe I'll send him this article.
I caught the Mountain Wumpus! He gave me his treasure chest ($100) to let him go free again.
But I *KNOW* that Microsoft Word is not transferring whatever I type to Microsoft or other third party (the network traffic would be a giveaway)... and I also *KNOW* that Google keeps the full text (and all revisions) of whatever I write in Google Docs.
Even if they "do no evil", they could be forced by law (or hacking) to release my documents.
Anyway, Google Docs is not a replacement for MS Word (yet, at least)... but rather to Wordpad. It lacks even basic word processor functionality. I still like it and use it, but more in a collaborative "closed wiki" fashion.
As a Slashdot discussion grows longer, the probability of an analogy involving cars approaches one.
Since Social Security in no way stops you from honoring or loving anyone, I'm a bit uncertain what's your point. After all, all Social Security does is ensures that even those of us who don't have children or rich friends won't starve when we become too old or sick to work.
Unless, of course, you are suggesting that it's good to have people starve on the streets so you can look good by giving them a few bread crumbs ? That particular line is what I've heard some people use to argue against Social Security...
Forget magic. Any technology distinguishable from divine power is insufficiently advanced.
Imagine if they took the "Vista Sound" team and put them on fixing this bug!
We'd end up with a Word that would play a funeral dirge when you opened a compromised e-mail.
"...Microsoft suggests that users 'not open or save Word files,' even from trusted sources."
Phew! I almost clicked the save button on my 25 page term paper before I read that! Thank God for Slashdot!
Microsoft is just taking the paperless office to the next level - the documentless office.
What he can't kill, he has sex on. Trent.
If Microsoft hasn't updated the Mac version of Office to be Universal Binary, Word is already running under Rosetta on Intel Macs. So the exploit should work on both platforms. Possibly a little slower on the Intel machine due to the extra layer of emulation. :)
[UID-HeinzIntel]
That's what a retirement fund is for.
What's that? You didn't think to start one?
Sucks to be you, the world's not fair.
I used to get high on life, but I developed a tolerance. Now I need something stronger.
So there's no patch, there's no practical workaround, there are no av signatures, and there is no official explanation of the exploit mechanism. Hmm. What's a guy to do?
From:
To: All_Employees
Subject: Corporate Security Alert
Significance: High
Microsoft has announced a security alert pertaining to MSWord - probably all versions. Microsoft recommends not opening any MSWord documents from anyone, until further notice. Please see attached for details.
Thank you,
IT Department
[attachment - MSSecurityAlertDetails.doc - 1,253KB]
The thing that astounds me more than that is that the Viewer is affected too. One step closer to a PDF based virus, I'd say... Adobe, stay away from active content. I mean really, who needs active content in a word processing document? Presentations I understand, so seriously, are you going to put active content in your Ph.D thesis? Why Why Why???
well, i'm still using the outdated and unsupported office '97, so I guess I'm safe :)
Life is pain. Anyone who says differently is selling something.
A Word document is a stream of COM data objects. This is one reason why Word documents can't be made backwards compatible, and since it's in Microsoft's interest to force users to upgrade over time they have little incentive to change this design.
The problem is that unless they take steps to prevent it, any COM object that's supported on the system can theoretically be included or referenced, including ActiveX controls. Just as in Internet Explorer and Outlook, they try and filter out "dangerous" components... but over the 7 years since they introduced IE they've been unable to solve the problem.
And they have too much face tied up in the design to easily back out even if they wanted to. And, as noted, they have little reason to want to.
One more reason for me to stick with Word 5.1a, for writing term papers (like that's ever going to happen again). 'Course, this (and SMAC/X) will keep me from moving to Intel based Mac.
It hasn't stopped me from moving to an Intel Mac. I just don't get rid of my old machines and use a KVM switch. Though the PowerMac 7500/100 isn't getting much use anymore, even with the B&W G3's original processor in it (the B&W was upgraded to a faster G4 than my stock G4 Cube has).
Now if only I could find a KVM solution for the older Macs that use DA-15 and ADB, though I'd probably have more luck finding DA-15->VGA and ADBUSB adapters.
The networking problem is child's play compared to that. Except... does anyone know if, after all the necessary bridges are connected, I could boot my Apple IIgs off of NAS?
Oh, say does that Star-Spangled Banner entwine / The myrtle of Venus with Bacchus's vine?
at how many professors would accept "zero-day Word Exploit." In fact I think I have a solution for you.
Does anybody know if Open Office is affected?
Can you safely open (infected) word documents in OO at this moment?
Privacy is terrorism.
Should != does. I ran the following file hello.cpp through the version of G++ included with the most recent MinGW bundle:
The size of the stripped executable hello.exe was 266,240 bytes. Compare hello.c, which ideally should be semantically equivalent:
GCC produced a 5,632 byte stripped executable.
"we have processing power now"
But if that power runs out in 60 minutes because that was the largest battery that could fit in the device, what good is it? Even on desktop PCs, why are we writing the majority of applications in C++ and not, say, Python if Python is so much safer?
"C or C++ are languages btw, you have several compilers that process C or C++ code, so are you saying a compiler you've used or think MS has used is flawed or the language in itself?"
The C++ standard is eight years old. If the two most popular implementations (Microsoft and GNU) have the same flaw by now, then it is more likely than not that the language itself has a flaw that shows in all conforming implementations.
for any people that share their apps with relatives and can't update. :p
A CEO, whose name I have changed to James, replied to the version he received of my message above: "OK, so what do I do if I receive a WORD doc that I am expecting, from someone I know? If I need to see it, what should I do? Any idea how long until this latest craziness is over? James" My reply:
James,
There is no vulnerability in Open Office Writer. Just save the .DOC file or .RTF file to the hard drive and open it in Open Office. You have the latest version of Open Office, which is very compatible with MS Office. If you like, we will make it so that all .DOC files open automatically in O.O. Writer throughout [the organization].
I have no idea when this will be fixed. However, Microsoft must know more than is being said, since the company is using such strong language: "exercise extreme caution [with files] from both known and unknown sources."
When I try to translate that from corporate-speak to English, I wonder about the meaning of "exercise extreme caution". How would I do that? Would I hold my finger to the side of my nose very tightly and hope, hope, hope? Is there an animal in a closet called extreme caution, and I would take it out for exercise?
Since there is no way to know if a file is infected, and since merely opening an infected file causes your network to be infected, my translation of that statement from Microsoft is:
"Don't use Microsoft Word."
The following alternative translation is preferred by many computer professionals who have been discussing Microsoft's advice online: "Pay $329 for an upgrade to the latest version immediately." I won't bother with the corporate-speak version of my answer to that. The English version is "When pigs fly".
You now have an excellent opportunity to become accustomed to Open Office, which is better anyway, and saves files in Microsoft Word .DOC format as well as the ISO (International Standards Organization) Open Document Format.
It's a weird world out there, James. If you want to put your computer systems at risk, you will have to pay a lot more for software you already own, for a version that is very little different, with the assurance that there will be other severe vulnerabilities. If you want relative safety, using software that is less quirky, you will have to keep your money in your pocket.
Michael
For starters, the competition gave out local accounts to anyone on request. Hardly a situation that's going to happen on a normal user's Mac.
Second, all that happened was that the hacker used an Apache privilege escalation exploit to modify index.html. That's it.
That entire Apple-hating post you just read was based on someone modifying index.html via an Apache bug. I've never seen such vitriol over something so lame. Face it, Microsoft has another embarrassing flaw. Citing lame stuff like MySpace vulnerabilities or old 2003-era AirPort bugs isn't going to change that. Deal with it and move on.
Gmail has previewers for M$ Office documents.
I ALWAYS use them for reading Office documents in incoming mail (I forward them to Gmail. Takes an extra 2 seconds).
Perhaps it's a good time for Google to make it work better. Like show images as an option.
What kind of exploit is this? If I run Word in a limited Windows account, am I not protected? (what if I create an account just for reading Office docs that cannot be trusted in the same environment as other things?)
Then what are you complaining about ?
And the world would be a lot less unfair if people stopped using the perceived unfairness as an excuse to behave in ways that make it even more unfair.
Forget magic. Any technology distinguishable from divine power is insufficiently advanced.
This is about every known version of Word having a vulnerability for which there is no patch or update. This isn't the place to argue about Mac OS. This is about an unleashed weapon of mass destruction like we have been worrying about, where the infrastructure of the country that includes millions of Windows systems running Office is now vulnerable to the most simple of attacks. Microsoft better have a lot of "Errors and Omissions" insurance. They are already being sued by at least one state for releasing insecure buggy code. This situation is intolerable. It throws most companies into a tizzy of paranoia about the use of Word documents. I think there is a good case for Open Office today. I simply don't use Microsoft Office anymore. This isn't about I told you so. It must be obvious that cracks are appearing in the Microsoft code monopoly. Microsoft fanboys may want to reconsider their position.
The Free Software Foundation is still in shock but they plan to shortly release their first ever news bulletin where they DO agree with Microsoft.
;-))
Do not open or save a Word document, yes!
Could Microsoft also recommend not to use the Windows(TM) Operating System? The FSF is ready to offer them a Free (as in beer) DVD with a Free (as in speech) Operating System on it! (well at least somebody told me so)
Like for example win32pad, a notepad replacement:
http://www.gena01.com/win32pad/
Just forget word and/or pretty formatting for a few days, and learn to spell!
Don't blame me, it's usually 2 in the morning when I post
Can I assume that the only reason Word 97 is not mentioned on the list of affected products is because Office 97 is no longer supported? Or would I be justified in saying "Whew, we dodged a big one here by sticking with trusty old Office 97 in this company?"
Is there a non-MS article somewhere that may answer such questions?
It seems to me that this may be an effective way to finally get people to drop Office 97.
I think that the only reason Word 97 is not listed as affected is because it is no longer supported.
Then what are you complaining about ?
People who take my money in an effort to make things fair for the poor/retired/whatever. I have a job and am saving money for retirement. Why should I pay for those who fucked up?
I used to get high on life, but I developed a tolerance. Now I need something stronger.
Thank you for demonstrating why Social Security needs to be enforced by force and the State, rather than left for voluntary charity.
Now please answer my question: if "Sucks to be you, the world's not fair" is your answer to those less fortunate or wise as you, then what grounds do you have to complain when you perceive it being unfair against you ? Maybe it sucks to pay for those who fucked up - or were fucked over - but hey, the world's not fair, right ?
Forget magic. Any technology distinguishable from divine power is insufficiently advanced.
Stereotypes are there for a reason!
Yeesh.
Obviously you are a necro-pedo-zoophile. And before you say prove it, you prove you are not.